Brexit and the GDPR: What Your Organisation Needs to Know

Published on 20th March 2017

For some time, there has been confusion about Brexit and the GDPR. But with the deadline for the General Data Protection Regulation (GDPR) getting ever closer, it’s time for enterprises to begin preparing.

Brexit and the GDPR: Timing is everything

At face value, the immediate implications of Brexit and the GDPR may not seem that important. After all, when the UK triggered Article 50 on March 29th 2017, and began the process of leaving the EU, nothing seemed to happen. Adding to the confusion, there is no clear picture of what will replace the current rules and regulations when that process is eventually complete.

However, when it comes to the GDPR, it pays to prepare in advance. One thing is certain: the GDPR comes into force on 25th May 2018. Even taking the most ambitious timelines into account, the Brexit process is likely to take until at least 2019 to negotiate. The eagle-eyed amongst you will have noticed an overlap. The UK will still be a member of the EU when the regulation is rolled out. What does this mean for your organisation? Well, subsequently, all UK enterprise will have to adhere to it.

Post-Brexit, the terms negotiated between the UK and the EU will inevitably affect the way the UK continues to comply with EU laws. However, the GDPR applies to any organisation processing EU citizens’ data, regardless of EU membership or geographical location. Therefore, if your organisation interacts with the EU in any way, you need to be compliant with GDPR.

What Next

The GDPR widens the definition of personal data. It also tightens the rules for obtaining valid consent to use of that data. This means that even if your company currently complies with existing Data Security laws, you may risk non-compliance with the GDPR.

As an example, let’s look at the definition of personal data:

From 25th May 2018, the classification of personal data includes anything that can identify an individual. For the first time, this includes genetic, mental, cultural, economic or social information. And you need valid permission to use it. So, if you store or process this data without valid permission your organisation is at risk.

Importantly, the burden of proof lies with you. The GDPR requires that all organisations are able to prove clear and affirmative consent to process the data they hold. Additionally, proof of permission also applies to existing customer and client data. So, it’s important to make sure your existing contacts know and approve of the way you use their information.

Going forward, this affirmative consent will be a requirement for any company that processes the data of EU citizens. This means, that even after Brexit, companies wishing to do business with countries inside the EU must comply with the GDPR. The ICO has made it crystal clear that Brexit will not exempt UK businesses from these regulations when dealing with EU data.

Some Key Changes to Data Privacy

Right to Be Forgotten: Also known as ‘Right to Erasure’. This means that Customers can request your company to delete all personal data held on them. However, the right to erasure does not provide an absolute ‘right to be forgotten’. Instead there are certain circumstance where customers or individuals have a right to have personal data erased and to prevent processing in specific circumstances. These include: when the individual withdraws consent, where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed, or the personal data was unlawfully processed (i.e. otherwise in breach of the GDPR).

Transferral of Data: Potentially important when considering Brexit and the GDPR are the new regulations regarding the transferral of data. The GDPR will impose restrictions on the transfer of personal data. Restrictions will also apply to data stored outside the European Union and to third-party countries or international organisations. This will ensure that the level of protection of individuals afforded by the GDPR is not undermined. Transfers may be made where the Commission has decided that a third country, a territory or one or more specific sectors in the third country, or an international organisation ensures an adequate level of protection. This also applies to any offices your company has outside of the EU. So it’s important to make sure processes and systems are compliant in advance.

Accountability Principle: The new accountability principle in Article 5(2) requires you to demonstrate that you comply with the principles. It states explicitly that this is your responsibility. To demonstrate you comply you must: implement internal data protection policies such as staff training, internal audits of processing activities, and reviews of internal HR policies. Additionally, where appropriate, you should appoint a data protection officer.

Data Breach Notification: Going forward, companies will have 72 hours to report a data breach to regulators. This deadline begins from the moment you become aware of a data breach. It will, possibly, involve making a public declaration. You have to notify the relevant supervisory authority of a breach. And only where it is likely to result in a risk to the rights and freedoms of individuals. This has to be assessed on a case by case basis. For example, you will need to notify the relevant supervisory authority about a loss of customer details where the breach leaves individuals open to identity theft.

Fail to prepare, prepare to fail

Currently, 50% of organisations feel that they will not be able to fulfil the requirements set out by the GDPR. It’s hard to tell if this lack of preparedness is down to the hope that Brexit and the GDPR would cancel each other out. With Brexit providing a convenient excuse to halt the application of the new processes required by the 260 page GDPR document, perhaps. Or whether there has simply been a lack of general awareness and information on what the regulation means for enterprise.

Whatever the case, companies who fail to prepare for the implementation of the GDPR are at risk. Organisations in breach of the GDPR can face fines of up to €20,000,000, or 4% of global annual turnover.

So, How You Can Prepare?

So, the next question is, how can you prepare for Brexit and the GDPR? The first step is to conduct a GDPR readiness assessment. This will show how aligned your current policies and procedures align with the new regulation. A readiness assessment provides a clear understanding and visibility of an organisation’s current level of compliance. It will provide recommendations for change, and identify any high impact risk areas to address in the short term.

Our GDPR readiness work packages offer organisations the chance to see how prepared they are for the implementation of the new data protection regulations.

This article was originally published on March 20, 2017. It has been updated to reflect recent announcements regarding Brexit and GDPR.